Chapter 1 Cryptographic Concepts and Techniques
Pseudo-Random Number Generation
Cryptographic Applications and Proper/Improper Implementations
Implications of Cryptographic Methods and Design
Strength Versus Performance Versus Feasibility to Implement Versus Interoperability
Digital Rights Management (DRM)
Secure Multipurpose Internet Mail Extensions (S/MIME)
Complete the Tables and Lists from Memory
Offsite or Multisite Replication
Chapter 3 Network and Security Components, Concepts, and Architectures
Advanced Network Design (Wired/Wireless)
IPv6 and Associated Transitional Technologies
Network Authentication Methods
Application- and Protocol-Aware Technologies
Passive Vulnerability Scanners
Virtual Networking and Security Components
Complex Network Security Solutions for Data Flow
Secure Configuration and Baselining of Networking and Security Components
Network Management and Monitoring Tools
Advanced Configuration of Routers, Switches, and Other Network Devices
Operational and Consumer Network-Enabled Devices
Physical Access Control Systems
Scientific/Industrial Equipment
Chapter 4 Security Controls for Hosts
Standard Operating Environment/Configuration Baselining
Application Whitelisting and Blacklisting
Security/Group Policy Implementation
Configuring Dedicated Interfaces
Security Advantages and Disadvantages of Virtualizing Servers
Container-Based Virtualization
Cloud-Augmented Security Services
Integrity Measurement Architecture (IMA)
Vulnerabilities Associated with Commingling of Hosts with Different Security Requirements
Virtual Desktop Infrastructure (VDI)
Terminal Services/Application Delivery Services
Hardware Security Module (HSM)
Chapter 5 Application Vulnerabilities and Security Controls
Web Application Security Design Considerations
Secure by Design, by Default, by Deployment
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Improper Error and Exception Handling
Improper Storage of Sensitive Data
Secure Cookie Storage and Transmission
Application Security Frameworks
Web Services Security (WS-Security)
Rapid Application Development (RAD)
Database Activity Monitoring (DAM)
Web Application Firewalls (WAF)
Client-Side Processing Versus Server-Side Processing
Part II: Risk Management and Incident Response
Chapter 6 Business Influences and Associated Security Risks
Risk Management of New Products, New Technologies, and User Behaviors
New or Changing Business Models/Strategies
Merger and Demerger/Divestiture
Security Concerns of Integrating Diverse Industries
Ensuring That Third-Party Providers Have Requisite Levels of Information Security
Internal and External Influences
Internal and External Client Requirements
BYOD (“Bring Your Own Device”)
Chapter 7 Risk Mitigation Planning, Strategies, and Controls
Classify Information Types into Levels of CIA Based on Organization/Industry
Information Classification and Life Cycle
Commercial Business Classifications
Military and Government Classifications
Incorporate Stakeholder Input into CIA Decisions
Implement Technical Controls Based on CIA Requirements and Policies of the Organization
Administrative (Management) Controls
Security Requirements Traceability Matrix (SRTM)
Determine the Aggregate CIA Score
Extreme Scenario/Worst-Case Scenario Planning
Determine Minimum Required Security Controls Based on Aggregate Score
Conduct System-Specific Risk Analysis
Recommend Which Strategy Should Be Applied Based on Risk Appetite
Information and Asset (Tangible/Intangible) Value and Costs
Vulnerabilities and Threats Identification
Enterprise Security Architecture Frameworks
Sherwood Applied Business Security Architecture (SABSA)
Control Objectives for Information and Related Technology (CobiT)
Continuous Improvement/Monitoring
Business Continuity Scope and Plan
Organizational Security Policy
System-Specific Security Policy
Issue-Specific Security Policy
Complete the Tables and Lists from Memory
Chapter 8 Security, Privacy Policies, and Procedures
Policy Development and Updates in Light of New Business, Technology, Risks, and Environment Changes
Process/Procedure Development and Updates in Light of Policy, Environment, and Business Changes
Support Legal Compliance and Advocacy by Partnering with HR, Legal, Management, and Other Entities
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA) of 1999
Computer Fraud and Abuse Act (CFAA)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act (FISMA) of 2002
Economic Espionage Act of 1996
Health Care and Education Reconciliation Act of 2010
Use Common Business Documents to Support Security
Risk Assessment (RA)/Statement of Applicability (SOA)
Business Impact Analysis (BIA)
Business Impact Analysis (BIA) Development
Interoperability Agreement (IA)
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Operating-Level Agreement (OLA)
Business Partnership Agreement (BPA)
Use General Privacy Principles for Sensitive Information (PII)
Support the Development of Various Policies
Incident Response Team and Incident Investigations
Rules of Engagement, Authorization, and Scope
Employment and Termination Procedures
Training and Awareness for Users
Auditing Requirements and Frequency
Chapter 9 Incident Response and Recovery Procedures
Electronic Inventory and Asset Control
Design Systems to Facilitate Incident Response
Internal and External Violations
Non-Malicious Threats/Misconfigurations
Establish and Review System, Audit and Security Logs
Incident and Emergency Response
Surveillance, Search, and Seizure
Forensic Analysis of Compromised System
Hardware/Embedded Device Analysis
Continuity of Operations Plan (COOP)
Part III: Research, Analysis, and Assessment
New Security Systems and Services
Knowledge of Current Vulnerabilities and Threats
Vulnerability Management Systems
Zero-Day Mitigating Controls and Remediation
Research Security Implications of New Business Tools
Integration Within the Business
Computer Emergency Response Team (CERT)
Emerging Threat Sources/Threat Intelligence
Research Security Requirements for Contracts
Chapter 11 Securing the Enterprise
Create Benchmarks and Compare to Baselines
Prototype and Test Multiple Solutions
Metrics Collection and Analysis
Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs
Review Effectiveness of Existing Security Controls
Reverse Engineer/Deconstruct Existing Solutions
Analyze Security Solution Attributes to Ensure They Meet Business Needs
Conduct a Lessons-Learned/After-Action Report
Use Judgment to Solve Difficult Problems That Do Not Have a Best Solution
Chapter 12 Assessment Tools and Methods
Passive Reconnaissance and Intelligence-Gathering Tools
Memory Dumping, Runtime Debugging
Part IV: Integration of Computing, Communications, and Business Disciplines
Chapter 13 Business Unit Collaboration
Interpreting Security Requirements and Goals to Communicate with Stakeholders from Other Disciplines
Management/Executive Management
Provide Objective Guidance and Impartial Recommendations to Staff and Senior Management on Security Processes and Controls
Establish Effective Collaboration within Teams to Implement Secure Solutions
Chapter 14 Secure Communication and Collaboration
Security of Unified Collaboration Tools
Over-the-Air Technologies Concerns
FHSS, DSSS, OFDM, FDMA, CDMA, OFDMA, and GSM
Cellular or Mobile Wireless Techniques
Infrastructure Mode Versus Ad Hoc Mode
Personal Versus Enterprise WPA
Chapter 15 Security Across the Technology Life Cycle
Systems Development Life Cycle (SDLC)
Security System Development Life Cycle (SSDLC)/Security Development Life Cycle (SDL)
Security Requirements Traceability Matrix (SRTM)
Validation and Acceptance Testing
Security Implications of Agile, Waterfall, and Spiral Software Development Methodologies
Adapt Solutions to Address Emerging Threats and Security Trends
Asset Management (Inventory Control)
Object Tracking and Containment Technologies
Part V: Technical Integration of Enterprise Components
Chapter 16 Host, Storage, Network, and Application Integration into a Secure Enterprise Architecture
Secure Data Flows to Meet Changing Business Needs
Legacy Systems/Current Systems
In-House Developed Versus Commercial Versus Commercial Customized Applications
Cloud and Virtualization Considerations and Hosting Options
Vulnerabilities Associated with a Single Platform Hosting Multiple Companies’ Virtual Machines
Secure Use of On-demand/Elastic Cloud Computing
Resource Provisioning and Deprovisioning
Securing Virtual Environments, Services, Applications, Appliances, and Equipment
Design Considerations During Mergers, Acquisitions, and Demergers/Divestitures
Network Secure Segmentation and Delegation
Logical and Physical Deployment Diagrams of Relevant Devices
Storage Integration (Security Considerations)
Enterprise Application Integration Enablers
Chapter 17 Authentication and Authorization Technologies
Identity and Account Management
Dual-Factor and Multi-Factor Authentication
Certificate-Based Authentication
Content-Dependent Versus Context-Dependent Access Control
Appendix B CASP CAS-002 Exam Updates
Always Get the Latest at the Companion Website
CD-only Elements: